.nh
.TH Container Runtime Interface (CRI) CLI
\fBcrictl\fR provides a CLI for CRI-compatible container runtimes. This allows the CRI runtime developers to debug their runtime without needing to set up Kubernetes components.

.PP
\fBcrictl\fR has been GA since \fBv1.11.0\fR and is currently under active development. It is hosted at the cri-tools
\[la]https://github.com/kubernetes\-sigs/cri\-tools\[ra] repository. We encourage the CRI developers to report bugs or help extend the coverage by adding more functionalities.

.PP
The tool expects JSON or YAML encoded files as input and passes them to the
corresponding container runtime using the CRI API protocol
\[la]/vendor/k8s.io/cri\-api/pkg/apis/runtime/v1/api.proto\[ra]\&.

.SH Install crictl
.PP
.RS

.PP
\fBNOTE:\fP The below steps are based on linux-amd64, however you can get downloads for all other platforms (Windows, ARM, etc) in the releases page
\[la]https://github.com/kubernetes\-sigs/cri\-tools/releases\[ra]\&.

.RE

.PP
\fBcrictl\fR can be downloaded from cri-tools release page
\[la]https://github.com/kubernetes\-sigs/cri\-tools/releases\[ra]:
.IP \(bu 2
using \fBwget\fR:

.EX
VERSION="v1.30.0" # check latest version in /releases page
wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-$VERSION-linux-amd64.tar.gz
sudo tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin
rm -f crictl-$VERSION-linux-amd64.tar.gz
.EE

.IP \(bu 2
using \fBcurl\fR:

.EX
VERSION="v1.30.0" # check latest version in /releases page
curl -L https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-${VERSION}-linux-amd64.tar.gz --output crictl-${VERSION}-linux-amd64.tar.gz
sudo tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin
rm -f crictl-$VERSION-linux-amd64.tar.gz
.EE

.SH Usage
.EX
crictl [global options] command [command options] [arguments...]
.EE

.PP
COMMANDS:
.IP \(bu 2
\fBattach\fR: Attach to a running container
.IP \(bu 2
\fBcreate\fR: Create a new container
.IP \(bu 2
\fBexec\fR: Run a command in a running container
.IP \(bu 2
\fBversion\fR: Display runtime version information
.IP \(bu 2
\fBimages, image, img\fR: List images
.IP \(bu 2
\fBinspect\fR: Display the status of one or more containers
.IP \(bu 2
\fBinspecti\fR: Return the status of one or more images
.IP \(bu 2
\fBimagefsinfo\fR: Return image filesystem info
.IP \(bu 2
\fBinspectp\fR: Display the status of one or more pods
.IP \(bu 2
\fBlogs\fR: Fetch the logs of a container
.IP \(bu 2
\fBmetricsp\fR: List pod metrics. Metrics are unstructured key/value pairs gathered by CRI meant to replace cAdvisor's /metrics/cadvisor endpoint.
.IP \(bu 2
\fBmetricdescs\fR: List metric descriptors. Returns information about the metrics available through the CRI.
.IP \(bu 2
\fBport-forward\fR: Forward local port to a pod
.IP \(bu 2
\fBps\fR: List containers
.IP \(bu 2
\fBpull\fR: Pull an image from a registry
.IP \(bu 2
\fBrun\fR: Run a new container inside a sandbox
.IP \(bu 2
\fBrunp\fR: Run a new pod
.IP \(bu 2
\fBrm\fR: Remove one or more containers
.IP \(bu 2
\fBrmi\fR: Remove one or more images
.IP \(bu 2
\fBrmp\fR: Remove one or more pods
.IP \(bu 2
\fBpods\fR: List pods
.IP \(bu 2
\fBstart\fR: Start one or more created containers
.IP \(bu 2
\fBinfo\fR: Display information of the container runtime
.IP \(bu 2
\fBstop\fR: Stop one or more running containers
.IP \(bu 2
\fBstopp\fR: Stop one or more running pods
.IP \(bu 2
\fBupdate\fR: Update one or more running containers
.IP \(bu 2
\fBconfig\fR: Get, set and list crictl configuration options
.IP \(bu 2
\fBstats\fR: List container(s) resource usage statistics
.IP \(bu 2
\fBstatsp\fR: List pod statistics. Stats represent a structured API that will fulfill the Kubelet's /stats/summary endpoint.
.IP \(bu 2
\fBcompletion\fR: Output bash shell completion code
.IP \(bu 2
\fBcheckpoint\fR: Checkpoint one or more running containers
.IP \(bu 2
\fBevents, event\fR: Stream the events of containers
.IP \(bu 2
\fBruntime-config\fR: Retrieve the container runtime configuration
.IP \(bu 2
\fBupdate-runtime-config\fR Update the runtime configuration
.IP \(bu 2
\fBhelp, h\fR: Shows a list of commands or help for one command

.PP
\fBcrictl\fR by default connects on Unix to:
.IP \(bu 2
\fBunix:///run/containerd/containerd.sock\fR or
.IP \(bu 2
\fBunix:///run/crio/crio.sock\fR or
.IP \(bu 2
\fBunix:///var/run/cri-dockerd.sock\fR

.PP
or on Windows to:
.IP \(bu 2
\fBnpipe:////./pipe/containerd-containerd\fR or
.IP \(bu 2
\fBnpipe:////./pipe/cri-dockerd\fR

.PP
For other runtimes, use:
.IP \(bu 2
frakti
\[la]https://github.com/kubernetes/frakti\[ra]: \fBunix:///var/run/frakti.sock\fR

.PP
The endpoint can be set in three ways:
.IP \(bu 2
By setting global option flags \fB--runtime-endpoint\fR (\fB-r\fR) and \fB--image-endpoint\fR (\fB-i\fR)
.IP \(bu 2
By setting environment variables \fBCONTAINER_RUNTIME_ENDPOINT\fR and \fBIMAGE_SERVICE_ENDPOINT\fR
.IP \(bu 2
By setting the endpoint in the config file \fB--config=/etc/crictl.yaml\fR

.PP
If the endpoint is not set then it works as follows:
.IP \(bu 2
If the runtime endpoint is not set, \fBcrictl\fR will by default try to connect using:
.RS
.IP \(bu 2
containerd
.IP \(bu 2
cri-o
.IP \(bu 2
cri-dockerd
.RE
.IP \(bu 2
If the image endpoint is not set, \fBcrictl\fR will by default use the runtime endpoint setting

.PP
.RS

.PP
Note: The default endpoints are now deprecated and the runtime endpoint should always be set instead.
The performance maybe affected as each default connection attempt takes n-seconds to complete before timing out and going to the next in sequence.

.RE

.PP
Unix:

.EX
$ cat /etc/crictl.yaml
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 2
debug: true
pull-image-on-create: false
.EE

.PP
Windows:

.EX
C:\\> type %USERPROFILE%\\.crictl\\crictl.yaml
runtime-endpoint: npipe:////./pipe/containerd-containerd
image-endpoint: npipe:////./pipe/containerd-containerd
timeout: 2
debug: true
pull-image-on-create: false
.EE

.SS Connection troubleshooting
Some runtimes might use cmux
\[la]https://github.com/soheilhy/cmux\[ra] for connection
multiplexing, which can cause issues during the initial gRPC
\[la]https://grpc.io\[ra]
connection setup. If it does not seem to be possible to connect to the runtime
\fB*.sock\fR, then exporting the environment variable
\fBGRPC_GO_REQUIRE_HANDSHAKE=off\fR might solve the issue. Please take into account
that the environment has to be preserved when running
via sudo (\fBsudo -E crictl ...\fR).

.SH Additional options
.IP \(bu 2
\fB--timeout\fR, \fB-t\fR: Timeout of connecting to server in seconds (default: \fB2s\fR).
0 or less is interpreted as unset and converted to the default. There is no
option for no timeout value set and the smallest supported timeout is \fB1s\fR
.IP \(bu 2
\fB--debug\fR, \fB-D\fR: Enable debug output
.IP \(bu 2
\fB--help\fR, \fB-h\fR: show help
.IP \(bu 2
\fB--version\fR, \fB-v\fR: print the version information of \fBcrictl\fR
.IP \(bu 2
\fB--config\fR, \fB-c\fR: Location of the client config file (default: \fB/etc/crictl.yaml\fR). Can be changed by setting \fBCRI_CONFIG_FILE\fR environment variable. If not specified and the default does not exist, the program's directory is searched as well
.IP \(bu 2
\fB--enable-tracing\fR: Enable OpenTelemetry tracing (default: \fBfalse\fR)
.IP \(bu 2
\fB--tracing-endpoint\fR: Address to which the gRPC tracing collector will send spans to (default: \fB127.0.0.1:4317\fR)
.IP \(bu 2
\fB--tracing-sampling-rate-per-million\fR: Number of samples to collect per million OpenTelemetry spans. Set to 1000000 or -1 to always sample (default: \fB-1\fR)
.IP \(bu 2
\fB--profile-cpu\fR: Write a pprof CPU profile to the provided path
.IP \(bu 2
\fB--profile-mem\fR: Write a pprof memory profile to the provided path

.SH Client Configuration Options
Use the \fBcrictl\fR config command to get, set and list the \fBcrictl\fR client configuration
options.

.PP
USAGE:

.EX
crictl config [command options] [<crictl options>]
.EE

.PP
For example \fBcrictl config --set debug=true\fR will enable debug mode when giving subsequent \fBcrictl\fR commands.

.PP
COMMAND OPTIONS:
.IP \(bu 2
\fB--get value\fR: Show the option value
.IP \(bu 2
\fB--set value\fR: Set option (can specify multiple or separate values with commas: opt1=val1,opt2=val2)
.IP \(bu 2
\fB--list\fR: Show all option values (default: \fBfalse\fR)
.IP \(bu 2
\fB--help\fR, \fB-h\fR: Show help (default: \fBfalse\fR)

.PP
\fBcrictl\fR OPTIONS:
.IP \(bu 2
\fBruntime-endpoint\fR: Container runtime endpoint (no default value)
.IP \(bu 2
\fBimage-endpoint\fR: Image endpoint (no default value)
.IP \(bu 2
\fBtimeout\fR: Timeout of connecting to server (default: \fB2s\fR)
.IP \(bu 2
\fBdebug\fR: Enable debug output (default: \fBfalse\fR)
.IP \(bu 2
\fBpull-image-on-create\fR: Enable pulling image on create requests (default: \fBfalse\fR)
.IP \(bu 2
\fBdisable-pull-on-run\fR: Disable pulling image on run requests (default: \fBfalse\fR)

.PP
.RS

.PP
When enabled \fBpull-image-on-create\fR modifies the create container command to first pull the container's image.
This feature is used as a helper to make creating containers easier and faster.
Some users of \fBcrictl\fR may desire to not pull the image necessary to create the container.
For example, the image may have already been pulled or otherwise loaded into the container runtime, or the user may be running without a network. For this reason the default for \fBpull-image-on-create\fR is \fBfalse\fR\&.

.PP
By default the run command first pulls the container image, and \fBdisable-pull-on-run\fR is \fBfalse\fR\&.
Some users of \fBcrictl\fR may desire to set \fBdisable-pull-on-run\fR to \fBtrue\fR to not pull the image by default when using the run command.

.PP
To override these default pull configuration settings, \fB--no-pull\fR and \fB--with-pull\fR options are provided for the create and run commands.

.RE

.SH Examples
.IP \(bu 2
Run pod sandbox with config file
\[la]#run\-pod\-sandbox\-with\-config\-file\[ra]
.IP \(bu 2
Run pod sandbox with runtime handler
\[la]#run\-pod\-sandbox\-with\-runtime\-handler\[ra]
.IP \(bu 2
Pull a busybox image
\[la]#pull\-a\-busybox\-image\[ra]
.IP \(bu 2
Filter images
\[la]#filter\-images\[ra]

.SS Run pod sandbox with config file
.EX
$ cat pod-config.json
{
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "log_directory": "/tmp",
    "linux": {
    }
}
.EE

.PP
If the runtime uses systemd as the cgroup driver, set the \fB"cgroup_parent"\fR field in the pod-config, similar to

.EX
$ cat pod-config.json
{
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "log_directory": "/tmp",
    "linux": {
      "cgroup_parent": "/test.slice"
    }
}

$ crictl runp pod-config.json
f84dd361f8dc51518ed291fbadd6db537b0496536c1d2d6c05ff943ce8c9a54f
.EE

.PP
List pod sandboxes and check the sandbox is in Ready state:

.EX
$ crictl pods
POD ID              CREATED             STATE               NAME                NAMESPACE           ATTEMPT
f84dd361f8dc5       17 seconds ago      Ready               nginx-sandbox       default             1
.EE

.SS Run pod sandbox with runtime handler
Runtime handler requires runtime support. The following example shows running a pod sandbox with \fBrunsc\fR handler on containerd runtime.

.EX
$ cat pod-config.json
{
    "metadata": {
        "name": "nginx-runsc-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "log_directory": "/tmp",
    "linux": {
    }
}

$ crictl runp --runtime=runsc pod-config.json
c112976cb6caa43a967293e2c62a2e0d9d8191d5109afef230f403411147548c

$ crictl inspectp c112976cb6caa43a967293e2c62a2e0d9d8191d5109afef230f403411147548c
\&...
    "runtime": {
      "runtimeType": "io.containerd.runtime.v1.linux",
      "runtimeEngine": "/usr/local/sbin/runsc",
      "runtimeRoot": "/run/containerd/runsc"
    },
\&...
.EE

.SS Pull a busybox image
.EX
$ crictl pull busybox
Image is up to date for busybox@sha256:141c253bc4c3fd0a201d32dc1f493bcf3fff003b6df416dea4f41046e0f37d47
.EE

.PP
List images and check the busybox image has been pulled:

.EX
$ crictl images
IMAGE               TAG                 IMAGE ID            SIZE
busybox             latest              8c811b4aec35f       1.15MB
k8s.gcr.io/pause    3.1                 da86e6ba6ca19       742kB
.EE

.SS Filter images
The following filters are available \fB--filter\fR, \fB-f\fR:
.IP "  1." 5
\fBbefore=<image-name>[:<tag>]|<image id>|<image@digest>\fR
.IP "  2." 5
\fBdangling=(true/false)\fR
.IP "  3." 5
\fBreference=/regex/\fR
.IP "  4." 5
\fBsince=<image-name>[:<tag>]|<image id>|<image@digest>\fR

.PP
Filters can be combined and are applied in the order provided.

.PP
List all images:

.EX
$ crictl images --digests
IMAGE                                                      TAG                 DIGEST              IMAGE ID            SIZE
docker.io/library/busybox                                  latest              538721340ded1       3f57d9401f8d4       4.5MB
docker.io/library/nginx                                    latest              05aa73005987c       e4720093a3c13       191MB
gcr.io/k8s-staging-cri-tools/hostnet-nginx-amd64           latest              aa74ea387dbbe       1ee3f9825c42b       147MB
gcr.io/k8s-staging-cri-tools/test-image-predefined-group   latest              2b2fc189c502a       84410ab6e30d9       5.11MB
registry.k8s.io/e2e-test-images/busybox                    1.29-2              c318242786b13       84eebb9ca1734       1.37MB
registry.k8s.io/e2e-test-images/httpd                      2.4.39-4            3fe7acf013d12       444b9e2765dc9       132MB
registry.k8s.io/e2e-test-images/nginx                      1.14-2              13616070e3f29       02e45a31af51c       17.2MB
registry.k8s.io/e2e-test-images/nonewprivs                 1.3                 8ac1264691820       3e3d1785c0b6e       7.37MB
registry.k8s.io/pause                                      3.9                 7031c1b283388       e6f1816883972       750kB
.EE

.PP
List images by \fBreference\fR:

.EX
$ crictl images --filter 'reference=k8s'
IMAGE                                                      TAG                 IMAGE ID            SIZE
gcr.io/k8s-staging-cri-tools/hostnet-nginx-amd64           latest              1ee3f9825c42b       147MB
gcr.io/k8s-staging-cri-tools/test-image-predefined-group   latest              84410ab6e30d9       5.11MB
registry.k8s.io/e2e-test-images/busybox                    1.29-2              84eebb9ca1734       1.37MB
registry.k8s.io/e2e-test-images/httpd                      2.4.39-4            444b9e2765dc9       132MB
registry.k8s.io/e2e-test-images/nginx                      1.14-2              02e45a31af51c       17.2MB
registry.k8s.io/e2e-test-images/nonewprivs                 1.3                 3e3d1785c0b6e       7.37MB
registry.k8s.io/pause                                      3.9                 e6f1816883972       750kB
.EE

.PP
List images by \fBreference\fR using a regular expression:

.EX
$ crictl images --filter 'reference=nginx'
IMAGE                                              TAG                 IMAGE ID            SIZE
docker.io/library/nginx                            latest              e4720093a3c13       191MB
gcr.io/k8s-staging-cri-tools/hostnet-nginx-amd64   latest              1ee3f9825c42b       147MB
registry.k8s.io/e2e-test-images/nginx              1.14-2              02e45a31af51c       17.2MB
$ crictl images --filter 'reference=.*(nginx)$'
IMAGE                                   TAG                 IMAGE ID            SIZE
docker.io/library/nginx                 latest              e4720093a3c13       191MB
registry.k8s.io/e2e-test-images/nginx   1.14-2              02e45a31af51c       17.2MB
.EE

.PP
Combine multiple \fB--filter\fR arguments together:

.EX
$ crictl images --filter 'reference=nginx' --filter 'reference=\\.k8s\\.'
IMAGE                                   TAG                 IMAGE ID            SIZE
registry.k8s.io/e2e-test-images/nginx   1.14-2              02e45a31af51c       17.2MB
$ crictl images --filter 'since=registry.k8s.io/e2e-test-images/busybox@sha256:c318242786b139d18676b1c09a0ad7f15fc17f8f16a5b2e625cd0dc8c9703daf' --filter 'reference=nginx'
IMAGE                                              TAG                 IMAGE ID            SIZE
docker.io/library/nginx                            latest              e4720093a3c13       191MB
gcr.io/k8s-staging-cri-tools/hostnet-nginx-amd64   latest              1ee3f9825c42b       147MB
.EE

.PP
List images \fBbefore=<image-name>[:<tag>]\fR:

.EX
$ crictl images --filter 'before=gcr.io/k8s-staging-cri-tools/hostnet-nginx-amd64:latest'
IMAGE                                                      TAG                 IMAGE ID            SIZE
gcr.io/k8s-staging-cri-tools/test-image-predefined-group   latest              84410ab6e30d9       5.11MB
registry.k8s.io/e2e-test-images/busybox                    1.29-2              84eebb9ca1734       1.37MB
registry.k8s.io/e2e-test-images/httpd                      2.4.39-4            444b9e2765dc9       132MB
registry.k8s.io/e2e-test-images/nginx                      1.14-2              02e45a31af51c       17.2MB
registry.k8s.io/e2e-test-images/nonewprivs                 1.3                 3e3d1785c0b6e       7.37MB
registry.k8s.io/pause                                      3.9                 e6f1816883972       750kB
.EE

.PP
List images \fBsince=<image-name>[:<tag>]\fR:

.EX
$ crictl images --filter 'since=gcr.io/k8s-staging-cri-tools/hostnet-nginx-amd64:latest'
IMAGE                       TAG                 IMAGE ID            SIZE
docker.io/library/busybox   latest              3f57d9401f8d4       4.5MB
docker.io/library/nginx     latest              e4720093a3c13       191MB
.EE

.PP
List images \fBsince=<image@digest>\fR:

.EX
crictl images --filter 'since=registry.k8s.io/e2e-test-images/busybox@sha256:c318242786b139d18676b1c09a0ad7f15fc17f8f16a5b2e625cd0dc8c9703daf'
IMAGE                                                      TAG                 IMAGE ID            SIZE
docker.io/library/busybox                                  latest              3f57d9401f8d4       4.5MB
docker.io/library/nginx                                    latest              e4720093a3c13       191MB
gcr.io/k8s-staging-cri-tools/hostnet-nginx-amd64           latest              1ee3f9825c42b       147MB
gcr.io/k8s-staging-cri-tools/test-image-predefined-group   latest              84410ab6e30d9       5.11MB
.EE

.SS Create container in the pod sandbox with config file
.EX
$ cat pod-config.json
{
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "log_directory": "/tmp",
    "linux": {
    }
}

$ cat container-config.json
{
  "metadata": {
      "name": "busybox"
  },
  "image":{
      "image": "busybox"
  },
  "command": [
      "top"
  ],
  "log_path":"busybox.0.log",
  "linux": {
  }
}

$ crictl create f84dd361f8dc51518ed291fbadd6db537b0496536c1d2d6c05ff943ce8c9a54f container-config.json pod-config.json
3e025dd50a72d956c4f14881fbb5b1080c9275674e95fb67f965f6478a957d60
.EE

.PP
List containers and check the container is in Created state:

.EX
$ crictl ps -a
CONTAINER ID        IMAGE               CREATED             STATE               NAME                ATTEMPT
3e025dd50a72d       busybox             32 seconds ago      Created             busybox             0
.EE

.SS Start container
.EX
$ crictl start 3e025dd50a72d956c4f14881fbb5b1080c9275674e95fb67f965f6478a957d60
3e025dd50a72d956c4f14881fbb5b1080c9275674e95fb67f965f6478a957d60

$ crictl ps
CONTAINER ID        IMAGE               CREATED              STATE               NAME                ATTEMPT
3e025dd50a72d       busybox             About a minute ago   Running             busybox             0
.EE

.SS Exec a command in container
.EX
crictl exec -i -t 3e025dd50a72d956c4f14881fbb5b1080c9275674e95fb67f965f6478a957d60 ls
bin   dev   etc   home  proc  root  sys   tmp   usr   var
.EE

.SS Create and start a container within one command
It is possible to start a container within a single command, whereas the image
will be pulled automatically, too:

.EX
$ cat pod-config.json
{
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "log_directory": "/tmp",
    "linux": {
    }
}

$ cat container-config.json
{
  "metadata": {
      "name": "busybox"
  },
  "image":{
      "image": "busybox"
  },
  "command": [
      "top"
  ],
  "log_path":"busybox.0.log",
  "linux": {
  }
}

$ crictl run container-config.json pod-config.json
b25b4f26e342969eb40d05e98130eee0846557d667e93deac992471a3b8f1cf4
.EE

.PP
List containers and check the container is in Running state:

.EX
$ crictl ps
CONTAINER           IMAGE               CREATED             STATE               NAME                ATTEMPT             POD ID
b25b4f26e3429       busybox:latest      14 seconds ago      Running             busybox             0                   158d7a6665ff3
.EE

.SS Checkpoint a running container
.EX
$ crictl checkpoint --export=/path/to/checkpoint.tar 39fcdd7a4f1d4
39fcdd7a4f1d4
$ ls /path/to/checkpoint.tar
/path/to/checkpoint.tar
.EE

.SH More information
.IP \(bu 2
See the Kubernetes.io Debugging Kubernetes nodes with crictl doc
\[la]https://kubernetes.io/docs/tasks/debug\-application\-cluster/crictl/\[ra]
.IP \(bu 2
Visit kubernetes-sigs/cri-tools
\[la]https://github.com/kubernetes\-sigs/cri\-tools\[ra] for more information.
